in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Community Health Systems HIPAA Data Breach Second Largest, Company Has Cyber Insurance

One of the largest data breach items in the news this week is that of Community Health Systems, a Fortune 500 operator of general acute care hospitals.  With 206 hospitals in 29 states, it's no wonder that the latest HIPAA data breach could be affecting nearly 4.5 million people.  And while the use of encryption software could not have prevented this attack, it looks like a known bug was at the heart of the matter.

It makes me wonder if CHS will successfully get their cyber-insurance money.

Chinese Hackers

According to ibtimes.com (and many other media outlets), CHS fell victim to Chinese hackers who used a widely known security flaw to steal sensitive medical data belonging to 4.5 million patients.  Community Health Systems is apparently the second-largest chain of hospitals the US, which not only explains why so many people were affected but also why the hospital chain was a target.

The information that was stolen includes Social Security numbers, names, addresses, and other sensitive data.

Heartbleed: A Known Bug

According to a security consultant who was tipped off about the situation,
the hackers used the Heartbleed vulnerability to collect user credentials from the memory of a hospital device… and used them to log in through a… VPN. The attackers then extended their access into the company’s network. [ibtimes.com]
Heartbleed is a flaw that was discovered by a Google engineer.  It was made public in April of this year and caused something of a sensation as it pointed towards a zero-day vulnerability that could affect the whole of the internet.

Many companies were forced to update their security to stave off potential attacks. (In the case of major companies in the Fortune 500, you can strike off the word "potential."  The attacks were coming, and people knew it).

Insured

In a separate publication, pnj.com reported that CHS filed a statement with the SEC that it "won't take a financial hit because of the recent breach of security" since it "carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature."

That's great news for the company.  But it's not going to be so cut and dry for them when it comes to collecting their money, I imagine.  For one thing, plenty of insurers have gone to court trying to get out of paying for such policies, usually based on a technicality (Of course.  What else?).  And for good reason, too.  The insurance payouts can be astronomical, and with 4.5 million people affected, you can bet it's not going to be on the cheap side.  Any insurer would be tempted to find a way out of making good on the contract.

The fact that this attack was (supposedly) carried out using the Heartbleed bug poses some challenges for CHS.  While the bug was made public in April, CHS stated in its SEC statement that "it thinks the breach came in April and June."  While one could argue that the April attack couldn't have been counteracted – implementing a solution across 206 hospitals takes time – making the same argument for the June attack is not as easy.  If it can be proved that other companies had successfully updated their online security to counter Heartbleed, things might get tough for CHS.

Perhaps the saving grace is that the "hospital device" that acted as a gateway to CHS's database requires the manufacturer to provide an update to the vulnerability.  As long as there wasn't an implementable solution, things would have been out of CHS's control, and it could argue that it had done everything technically possible to secure PHI.

Related Articles and Sites:
http://www.ibtimes.com/heartbleed-security-flaw-used-chinese-hackers-community-health-systems-hacking-1663646
http://www.pnj.com/story/news/2014/08/20/hospital-security-attack/14357141/
http://www.scmagazine.com/community-health-systems-attackers-exploited-heartbleed-bug-for-access-firm-says/article/367249/
 
<Previous Next>

HIPAA Laptop Encryption: NYU Langone Had A Laptop PHI Breach In April

HIPAA Laptop Encryption: Cedars-Sinai Announces Data Breach Tied To IT Employee

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.